Identity Proofing – A Primer

A PLAIN WHITE PAPER

Overview

Federal agencies have renewed their focus on identity proofing systems in response to risks of cyber threats and identity fraud. According to a recent study[1] by the Government Accountability Office (GAO), most agencies lacked the controls required to identify and authenticate users with confidence and so prevent fraudulent or unauthorized access to federal information systems. Identity proofing is now vital to evolving government business operations that demand accessibility while ensuring system integrity for services delivered. Key initiatives such as national electronic health records will mandate secure online management of patient identities and verification of entities that access this personal data.

This paper focuses on the various identity proofing methods and the level of assurance in utilizing each method to verify a user’s identity. It demonstrates examples of how risk-based behavior can be assessed to employ a layered verification approach to identity proofing. This methodology is a significant advance over traditional knowledge-based identity verification systems that result in excessive error rates and more often impinge on user privacy.

Why Proof an Identity?

Traditionally, identity authentication has been viewed as an aspect of:

Who the person is

What they possess

What they know

Once an identity has been verified, the user is granted the applicable access and privileges to secure systems. While an identity needs to be authenticated and authorized before accessing any system, the identity must first be verified before it is created in a system and utilized for authorization. This process of verification prior to creation of an identity is called identity proofing. It primarily addresses the question ‘Are you who you say you are?’ before a user identity or credential is created.

Identity Proofing Techniques

There are four types of identity proofing techniques with varying degrees of verification strengths in each approach. These techniques are listed below from the weakest to the most promising and secure method.

Classic Knowledge Based Authentication

Dynamic Knowledge Based Authentication

Out of Band Authentication

Risk-based Identity Proofing

Classic Knowledge Based Authentication

This is the most commonly used and weakest methodology. In classic knowledge based authentication, verification information is collected from the end user and presented on demand in a future challenge/response authentication session. Examples of this technique are security questions such as, ‘What is your mother’s maiden name?’ The response to such questions is stored securely and recalled at a later date to verify an end user’s identity. This is the weakest identity proofing method as fraudsters can easily guess the answer to these questions by knowing a little bit about the end user.

Dynamic Knowledge Based Authentication

A dynamic knowledge based authentication method is a huge improvement over the classic method. This method usually produces questions on-the-fly based on the user’s public records or financial records history. Several data aggregators offer services for an out-of-wallet quiz and generate questions for an end user dynamically. Answers to these questions are difficult for a fraudster to guess since they are based on a user’s personal history. However, this method is not rock solid and is still susceptible to breaches if the data sources themselves are infiltrated or compromised. The ChoicePoint data breach in 2004 is a case in point, where personal information on several hundred thousand people was stolen, including name, addresses and identification numbers. The other glaring issue with this approach is the reliance on the data aggregator’s ability to source various types of data and to keep that data accurate when coalescing it in relation to each identity. Poor quality data may lead to too many false positives, devaluing this method and rendering it unusable.

Out Of Band

Out of band identity proofing (also known as OOB) involves the use of a verification channel that is not part of the active user authentication session. This method provides the user with a One Time Password (OTP) or verifies a biometric identifier (for example, voice). An example of this type of authentication is a one-time security text or password sent by SMS to the user, which they can then use in their authentication session. Another method utilizes biometric identifiers: the system calls the end user on their designated number and verifies their voice against a previously stored voice print. The Out of Band technique is promising as it cannot be emulated easily by fraudsters and usually requires multi-factor authentication.
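The server side of the OTP flow described above, as an added example that is not part of the original paper: the code is handed only to the second channel, stored as a digest, and accepted once within a limited time and number of guesses. The class name, the five-minute lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per code

class OobOtpVerifier:
    """Issues a one-time code for a second channel and verifies it once."""

    def __init__(self, clock=time.time):
        self._pending = {}   # session_id -> [digest, expires_at, attempts_left]
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, session_id):
        # CSPRNG-backed six-digit code; only its SHA-256 digest is retained.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[session_id] = [digest, expires_at, MAX_ATTEMPTS]
        return code  # goes to the SMS or voice gateway, never to the web session

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[session_id]
            return False
        entry[2] -= 1
        candidate = hashlib.sha256(submitted.encode()).digest()
        ok = hmac.compare_digest(digest, candidate)  # constant-time comparison
        if ok or entry[2] == 0:
            del self._pending[session_id]  # single use, or guesses exhausted
        return ok
```
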

Risk and Behavior based Identity Proofing

Risk and behavior based identity proofing is based on the assessment of risk and needed assurance to refine decisions about whether identities should be allowed or denied access to a system or resources within a system.

The use of risk-based metrics to evaluate identity fraud is not a new concept. Risk and behavioral based analytics on credit and purchasing behavior have been used extensively since the 1980s to reduce fraud in the financial sector. For instance, a well-known financial services fraud solution (FALCON) is currently used to evaluate a large percentage of all domestic credit card transactions. This solution has been shown to cut financial industry losses in half since its launch.

Which method is better?

Rather than depending exclusively on any one method of identity proofing, a combination of factors should be considered.

These factors include but are not limited to:

The risk to the asset

Level of assurance needed

Compliance with required controls

Depending on these factors, an organization may decide to apply a layered approach, combining methods to verify an identity. The goal here is not only to verify the identity but also to ensure that the identity proofing requirement does not impede the end user’s experience of the system. It would be overkill if the system interrupted the work flow at each step to verify a user’s identity when no apparent risk has been assessed.

Identity proofing should not be limited to the initial setup of an identity credential. The ideal implementation assesses risk and behavioral parameters throughout the user’s access lifecycle to determine the level of assurance required to authenticate an identity.

For example, a certain user usually accesses their system between 8am and 5pm every day, but on a particular day logs in at 7am. This may not be an apparent threat to the system, but the risk level is elevated as the event is an anomaly from the user’s historical behavioral pattern. In this instance, as the assessed risk is low, a challenge/response session would help confirm the user’s identity. However, if the user’s login at 7am exhibits access behavior that is clearly an outlier to normal access patterns, then this indicates a high level of risk to the system and needs to be mitigated by a more stringent form of identity proofing or by locking out access to the user account.
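A sketch of the layered decision described above, added here as an illustration and not taken from the paper or from any Unissant product: it scores a login against the user's historical hours and steps the proofing requirement up with the risk. The extra signals (`known_device`, `sensitive_resource`), the weights and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample: hours (0-23) at which one user has logged in before.
HISTORY_HOURS = [8, 9, 9, 10, 11, 13, 14, 15, 16, 16, 17, 8, 9, 12]

@dataclass
class LoginEvent:
    hour: int                 # local hour of the login attempt
    known_device: bool        # hypothetical signal: device seen before
    sensitive_resource: bool  # hypothetical signal: touches a high-value asset

def hour_distance(hour, history):
    """Hours from this login to the user's usual window (0 if inside it)."""
    lo, hi = min(history), max(history)
    if lo <= hour <= hi:
        return 0
    # The clock is circular: 23:00 is 6h after a 17:00 end, not 15h before 08:00.
    return min((lo - hour) % 24, (hour - hi) % 24)

def risk_score(event, history):
    """Additive score; the weights are illustrative assumptions."""
    score = 0
    distance = hour_distance(event.hour, history)
    if distance > 0:
        score += 1 if distance <= 2 else 3  # slight vs. clear outlier
    if not event.known_device:
        score += 2
    if event.sensitive_resource and score > 0:
        score += 1  # asset risk amplifies an anomaly that is already present
    return score

def required_proofing(event, history):
    """Map the score to the least disruptive step that still gives assurance."""
    score = risk_score(event, history)
    if score == 0:
        return "allow"               # no apparent risk: do not interrupt
    if score <= 2:
        return "challenge_response"  # low risk, e.g. the 7am login
    if score <= 4:
        return "out_of_band"         # more stringent proofing
    return "lock_account"
```
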

Conclusion

As the risks of cyber threats and fraud have increased in recent years, identity management has become a mission-critical program requirement for many Federal agencies, which must incorporate trusted identity verification systems to protect access to online systems and services.

Unissant understands the stringent requirements for an online government identity proofing solution and has the experience in the methodology, technology and processes to provide a mission-critical identity proofing system that utilizes a layered risk and behavior based approach to verify identities in government information systems.

References & Bibliography

[1] United States, United States Government Accountability Office, GAO-09-701T, Testimony, Agencies Make Progress in Implementation of Requirements, but Significant Weaknesses Persist, 19 May 2009.

About the Author

Ninad Mhadolkar has been instrumental in creating identity and fraud prevention solutions for many Fortune 100 companies. He possesses deep domain knowledge in identity proofing and was part of the team that pioneered consumer facing identity solutions utilizing layered identity proofing techniques to detect identity fraud for large financial and risk assessment institutions.

Unissant is an innovative software development and consulting company that manages complex initiatives, solves data challenges, and transforms business. Unissant brings technical excellence and program/project execution best practices that exceed the expectations of our clients in the Banking and Finance, Health and Life Sciences, National Security, and Federal/Civilian sectors.